data breach

Communicating to recover from a data breach

A few weeks back, I talked on this blog about how well BA had communicated in the wake of its data breach, telling people who were affected within 24 hours of its discovery. Just a few weeks later, we learned that Google+ is to close, having covered up a bug that meant outside developers had access to the personal data (name, email address, occupation, gender, age) of hundreds of thousands of users over a three-year period.
The contrast between the way the two breaches were handled couldn’t be more different. The Wall Street Journal reports that Google found out about (and fixed) the vulnerability in March, seven months before disclosing it in the seventh paragraph of a blog post titled ‘Protecting your data, improving our third-party APIs, and sunsetting consumer Google+’. The same article cites a leaked memo that says Google kept quiet in part because it didn’t want the PR headache of being compared to Facebook after the Cambridge Analytica scandal.
It’s not surprising, then, that trust in the ability of big tech companies to keep our data safe is falling, particularly in Google and Facebook. Personal data is the lifeblood of their businesses. Failing to disclose a security flaw that puts that data at risk betrays the trust of consumers who use it as currency to pay for the service. Google may not have considered its bug significant enough to warrant coming clean about it earlier, but was that its decision to make?
I ran a crisis management workshop last week (organised by The Social Element and our sister company, Polpeo) for the Digital Leadership Forum (DLF). The session was all about data protection, and we talked with some senior teams from major brands about the importance of clear and transparent communication during a data breach. Legal issues aside, there are enormous reputational damage to your brand if there’s even a hint that you’re covering up a problem. The speed at which information (and misinformation) travels over social media means that if you don’t communicate, someone else will do it for you – and they may not have all the facts. There may be a short-term hit to your reputation, share price or sales when you come clean, but recovery is far quicker if you’re honest.

Our advice on communicating to rebuild trust after a data breach is:

  1. Act quickly. As soon as you discover a flaw (and you know the facts), tell those who are affected. If you don’t, someone else will. Establish yourself as the voice of authority in the crisis.
  2. Communicate where your customers are. If they’re on social media, talk to them there. Don’t assume a press statement and a corporate web page is enough to get the message out.
  3. Fix the problem, and be seen to fix the problem. Tell people what you’ve done to make sure it will never happen again.
  4. Put yourself in your customers’ shoes. What would you want a company to do if your data had been compromised? Empathy is critical in a crisis and will help guide you to do the right thing.
  5. Communicate clearly, regularly and in plain language to build trust.
  6. Put a face to your communications. It might be your CEO, or your head of security, or someone else senior in the business – but trust is easier built by an individual than by an anonymous statement.
  7. Be honest. Don’t bury the truth or try to spin the facts.
  8. Listen to what people are saying about the breach on social media.  Correct misinformation and rumours, and keep an eye out for the scammers who will inevitably try to get in on the action and make the problem worse.
  9. Be prepared for the long-haul. Trust is built slowly, and lost fast. It takes time to repair.
  10. Finally, remember that trust is built through action, not through communication alone. Do the right thing, and tell people about it.
Contact Us
close slider